For those of you who know me, Henry was my basset hound, and the fictitious name used during (ahem) special research. I'm a former intelligence officer, a professional analyst, and a blogger since 2004 writing about my experiences on the journey: information security, cyber intelligence, education, thoughts. Some love my writing, others hate it. If you like it, follow me!

Saturday, May 11, 2013

We're learning to fight submarines...

I get one of my daily information fixes via the DC3 Daily Dispatch. Kudos to Jim and his outreach team! While many of these lists contain great reads, I'm certain you, like me, can't read everything. I'll skim the list, find the good stuff, and then skim the article to see if it was worthy of the title. If not, I go back to the next most interesting topic on my list, maybe the one about iOS containing potential malware. Oops, no, an iOS app contains potential malware. Huge difference! The problem is, I just spent probably 15 seconds evaluating each of those two pieces. So here's the deal. I receive 40 articles from this one list alone. That's 10 minutes of pure evaluation time, assuming I don't stop to read the entire piece. This is just one list, and probably one of the few that I actually take the time to read.

There are hundreds (thousands?) of these feeds that you could read daily. Do you read them all? Of course not. There are thousands of sources of tech intelligence. Do you read them all? Again, probably not. Do you aggregate them and mine them for nuggets? Some do, but probably not all of you. I know I've been through the process of building a couple of these analytic systems. But you know what? Even if you aggregate that data, can you mine it for only the true positives, prioritize it by analytic confidence, and sort it by what's useful to you, for your environment? Even if you could, would you know what to do with every piece of information received, aggregated, prioritized, sorted, and distilled? Many companies will say yes (I'd argue some are lying). Most companies will tell the truth: not a chance. In fact today, for much of the morning, I attended an ISC2 event. I was shocked (although I probably shouldn't have been) when the presenter asked the audience

"Who in the room can actually implement indicators, even if you have them?"

No hands went up. Not one.

So what's the answer?

Red Sky Alliance. Someone asked me the other day what the difference was between Red Sky and all of the subscription-based services. He was a guy writing a paper for his management, and needed accurate threat intelligence. When he came into Red Sky, on the first day, he asked a question. He posted a spreadsheet with all of the actors he'd been profiling (many defacers, etc.) and asked for other information that people may be working on. On that same day, he received a bunch of information about criminal and espionage groups he'd never seen before. Not only that, analysts from at least a dozen companies welcomed him, and pushed him new information regarding some of the actors he'd listed. This was information he'd never seen before. He's a pretty smart dude, but even the smartest, when working alone, end up with a limited set of eyes, and therefore a limited set of data. Red Sky connects people. The result of this connection was crowd-sourced analysis by some of the best companies in dozens of industry segments. Within a day, this guy had more new data than he'd compiled on his own in however long he'd been researching. And he made friends in about a dozen companies with really mature infosec/threat intelligence shops around the world. How cool is that?!

When I think back six or seven years ago, I was probably the first (and loudest) in the room, vowing never to give information away that might implicate the company I was working for at the time. We had tough attorneys and a CISO who made us all sign non-disclosure agreements. Everything about the activities we'd been fighting was kept in strict confidence, and on a need-to-know basis. Today, some of the biggest companies in the world share information about how they're being attacked, what they find, and how they fight it. In addition to Red Sky, others are sharing in their own circles: DSIE (defense companies have their own group), the Information Sharing and Analysis Centers have become popular again, and the government has no fewer than a dozen outreach programs to private industry (although they seem to have a rough time sharing between themselves!). Red Sky does things a little differently than the others, but still, information is moving. It's a great sign that things are getting better.

I'll close with this. I'm an old Navy guy, and I use the analogy "We're learning to fight submarines (in cyber space)." We lost a lot of ships to German U-boats in both World Wars. In 1943 that led the US Navy to create the 10th Fleet, a staff dedicated to building our anti-submarine warfare. The result? Before that war was over we could not only detect and kill enemy subs, but we had plenty of our own. Know what the Navy calls its cyber guys today? 10th Fleet.